
An anonymous reader writes "It appears that Skype account information on an Android phone remains readable by all in a standard installation, at least for certain versions of Skype out in the wild. That allows another potentially malicious app to know everything about you that Skype knows (contacts, history of whatever you've chatted about or who you called, phone numbers, personal information). Skype is said to be working on a fix for what appears to be a simple file permissions issue. This sheds some more light on how much private information everybody gives away for free by just owning a phone with half a wrong chmod."
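The file-permission problem the summary describes, as an added example that is not part of the original story or of any comment: a Python audit that lists the files under an app's data directory that a different UID could open. The package layout, file names and modes in `build_sample` are constructed for illustration.

```python
import os
import stat
import tempfile

def exposed_files(root):
    """Return [(relative_path, octal_mode)] for regular files under root that
    another UID could read: the file has the other-read bit AND every
    directory from root down has the other-execute (search) bit."""
    findings = []
    reachable = {root: bool(os.stat(root).st_mode & stat.S_IXOTH)}
    for dirpath, dirnames, filenames in os.walk(root):  # top-down order
        for d in dirnames:
            full = os.path.join(dirpath, d)
            mode = os.lstat(full).st_mode
            reachable[full] = reachable[dirpath] and bool(mode & stat.S_IXOTH)
        if not reachable[dirpath]:
            continue  # other UIDs cannot traverse into this directory
        for f in filenames:
            full = os.path.join(dirpath, f)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                findings.append((os.path.relpath(full, root),
                                 format(stat.S_IMODE(st.st_mode), "04o")))
    return sorted(findings)

def build_sample(app):
    """Populate directory `app` with a constructed tree (all names made up)."""
    dirs = {"files": 0o711, "files/alice": 0o755, "databases": 0o700}
    files = {"files/alice/main.db": 0o666,     # data file open to every UID
             "files/alice/config.xml": 0o660,  # owner and group only
             "databases/cache.db": 0o644}      # read bit set, parent dir closed
    for rel in dirs:
        os.makedirs(os.path.join(app, rel), exist_ok=True)
    for rel, mode in files.items():
        path = os.path.join(app, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    for rel, mode in dirs.items():
        os.chmod(os.path.join(app, rel), mode)
    os.chmod(app, 0o751)  # traversable by others, not listable
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, mode in exposed_files(build_sample(tmp)):
            print(mode, path)
```

A directory that grants only execute to others cannot be listed, but a file inside it can still be opened by anyone who knows its name, which is why the audit checks the search bit rather than the read bit on directories.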

I think your explanation is beginning to help me figure this out. With arguments of 7,6,5, or 0 in three positions? I wondered if they meant someone stuck a wrong digit in a command - but that would still be a ridiculous way to say it.

Doubtful. But also mostly irrelevant. There's no way even 10% of Android users have an emulator installed (emulators are allowed in the App Store, btw), and out of all reasonably potential customers, the 99% number is quite reasonable.

Okay, I've seen "Odd Jobs". Some people have weird jobs and I don't doubt your claims that you get work done on a toy. Some people make money setting up model railroads, too. But for most, I still stand by my assertion that it's a toy. It is certainly designed as a toy. That you can use it as a tool is great, and yeah, for you maybe Ben's advice holds. For the other 99.999% of the smartphone buying public, applying Franklin's statement is very inappropriate.

Liberty? Apple isn't a government. You don't sign away any rights to them. Things like iPhones and iPads let you do *more* with them than you could do without them. How does liberty come into play at all?

With all the grief Slashdot gives the Apple App Store, when was the last time anyone read about a malicious or flawed app leaking personal information?

Would this really have been more detectable with Apple's approval process?
It's been a while, but I've heard of apps getting past Apple's approval process that should not have - apps that had hidden functionality even. Flaws like this probably get overlooked all the time.
In fact, Android may have an advantage here. I don't know how iOS apps communicate with each other, but Android apps are sandboxed with very specific ways they have to communicate.
I'm out of date on my iOS information, though. I'd l

If they store data on the small internal memory it's supposed to be private and only readable by a single app, but if you put the app on the SD card Google considers that data public: "The SD card system is intended to be a shared resource that all apps can access. The functionality you described is the purpose of internal (app private) storage." http://code.google.com/p/android/issues/detail?id=16019

Which, of course, I think is poor security-wise... so feel free to add your own comments and star that if you think the same. ;)

"The SD card system is intended to be a shared resource that all apps can access. The functionality you described is the purpose of internal (app private) storage."

That's what I thought although I kept hoping it was not true. That to me seems like a huge, huge oversight since there are many Android devices that basically force you to install apps on external media. It's only a matter of time before you start to see cross-app attacks where code infects other apps, or pulls what should be private data from t

You don't have to store permissions information on the file system. Just create a symlink in the internal storage to the appdata folder on the SD card. Heck, you could call the directory /external and when the dev needs to save something on the SD card they just save it to 'external', which would symlink to /sdcard/data/appname. If the user ever decides to change where the app stores its data, update the symlink.

The developer would then only have to do: FileWriter f = new FileWriter("external/myFile.txt");

Skype doesn't allow installing on the SD Card (at least the version I tried and promptly uninstalled a few months ago due to it being a resource hog and a battery drain), so even if your hypothetical permission problem for apps installed on SD exists, I don't think it is the problem here. Skype seems to not really be written as an Android app, but as a native app with a thin Android wrapper. I suspect that is the real problem - the install asks for a bunch of permissions that the app should not really need

That depends on what you mean by the phrase "data belonging to any other app".

You haven't heard people complaining about it because most programs have gotten pretty good at storing user data in non-world-readable directories. The mentality is finally becoming a bit more mainstream that "apps" store user data in the user's non-world-readable folder. When they deviate, people start to take notice. Contrast this with 10 years ago where on Windows--while such protections were available--they required knowledgea

In fact that is one of the major selling points, they really put security at the top of the list. Extremely fine grained per app access controls, FIPS compliant encryption, secure wiping and so on. There is little to criticize in that regard, and is one of the reasons the US government loves the things so much (seriously, find a government agency that doesn't use Blackberries for all their employees).

Why does it have anything to do with the OS? The app developer more or less "chose" to share information, even if they did not do it on purpose. No reason proper permissions or encryption could not have been used.

When you open Skype in the Android Market, it requests a skyscraper-high list of special permissions. When I saw that, I immediately decided to forget about it. There's no way that it could possibly need that much information to do its job, and now it looks like it's even worse than I thought. Sucks that it leaks info like that, but kudos to Google for at least making the risk somewhat visible.

Which is also not the default; Skype set them this way on purpose. According to a comment in TFA, they use some native libraries to access those DBs that run under a different user than the app does because they are trying to obfuscate the Skype protocol. I'm not sure how true all that is but it seems logical/feasible enough.

Sounds like the sort of behavior that would cause Apple to exclude it from their App Store. Of course, that would be evil, right?

You can't actually expect the Slashdot editors to actually know enough to filter out these crap stories, right? What's more important is that it has a catchy headline and thus will drive page and ad clicks!

I don't even want Skype on my phone (LG Ally) but Verizon forces it on you along with a bunch of other crap (CityID, etc.). You can't make them not run at boot up, can't uninstall them, can't move them to the SD, etc. You can kill them with a task killer or manage apps but they start back up.

You answered your own question already, it looks like. All phones can currently be rooted. Replacing the kernel on some phones is not possible, but you can always make a kernel module so that you can chainload another kernel. Replacing the kernel is not needed to gain root, only for custom ROMs.

I will definitely do that after the warranty is through. The LG Ally can be rooted easily and use new kernels but unfortunately they also seem to break frequently. I'm on phone #3 and my wife's is on #3. Rebooting issues and the ear piece going out seem to be frequent issues.